Did you restart the ossec processes on the agents? This has to be done for a new agent.conf to be used.
On Tue, Apr 12, 2011 at 11:02 AM, satish patel <[email protected]> wrote: > I have waited since last 24 Hrs. also i can see agent.conf file at > client side with ignore directory that mean it should work right ? > agent.conf propagated successfully. > > root@vmg035:~# md5sum /var/ossec/etc/shared/agent.conf > 87439ad234809a4e7436c444345484af /var/ossec/etc/shared/agent.conf > > [root@agent1 ~]# md5sum /var/ossec/etc/shared/agent.conf > 87439ad234809a4e7436c444345484af /var/ossec/etc/shared/agent.conf > > -S > > > > On Tue, Apr 12, 2011 at 10:31 AM, carlopmart <[email protected]> wrote: >> On 04/12/2011 04:21 PM, satish patel wrote: >>> >>> I wanted to ignore /etc/lvm/backup directroy and i have added it in >>> agent.conf file and restart all agents but still i have getting >>> notification :( am i doing wrong ? >>> >>> >>> root@vmg035:~# cat /var/ossec/etc/shared/agent.conf >>> <agent_config> >>> <syscheck> >>> >>> <!-- Frequency that syscheck is executed - default to every 2 hours >>> --> >>> <frequency>7200</frequency> >>> >>> <!-- Directories to check (perform all possible verifications) --> >>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> >>> <directories check_all="yes">/bin,/sbin</directories> >>> >>> <!-- No scan at start service time --> >>> <scan_on_start>no</scan_on_start> >>> >>> <!-- Disable frequently changes files --> >>> <auto_ignore>no</auto_ignore> >>> >>> <!-- Files/directories to ignore --> >>> <ignore>/etc/mtab</ignore> >>> <ignore>/etc/mnttab</ignore> >>> <ignore>/etc/hosts.deny</ignore> >>> <ignore>/etc/mail/statistics</ignore> >>> <ignore>/etc/random-seed</ignore> >>> <ignore>/etc/adjtime</ignore> >>> <ignore>/etc/httpd/logs</ignore> >>> <ignore>/etc/utmpx</ignore> >>> <ignore>/etc/wtmpx</ignore> >>> <ignore>/etc/cups/certs</ignore> >>> <ignore>/etc/dumpdates</ignore> >>> <ignore>/etc/svc/volatile</ignore> >>> <ignore>/etc/motd</ignore> >>> <ignore>/etc/printcap</ignore> >>> <ignore>/etc/prelink.cache</ignore> >>> <ignore>/etc/lvm/backup</ignore> >>> </syscheck> >>> >>> ..... >>> ..... >>> ..So..on.. >> >> Check if md5sum is the same on server and agent for the agent.conf file ... >> >> Normally, you need to wait some minutes on the agent side until server push >> new agent.conf file ... >> >> Bye. >> >> >> -- >> CL Martinez >> carlopmart {at} gmail {d0t} com >> >
